Last updated on April 23, 2015
Some CIBC Visa customers are experiencing an unusually high amount of fraud.
It seems scammers have figured out a way to determine a credit card’s number and expiry date before it’s even been issued, in what the Canadian Bankers Association refers to as sequencing fraud.
Alex Pavlovic, an Ontario resident, has been issued 10 CIBC credit cards in the past few months. He told CBC News that the previous nine cards were all compromised, some before they were even validated.
Pavlovic says he used his CIBC Aeroplan credit card at a gas station and a CIBC bank machine. “Ever since that moment … I started getting replacement cards from CIBC. I have a collection of 10 cards right now,” he said in a CBC interview.
“In some cases I’ve been able to use them for a day or two, in some cases for a couple of hours, and in some cases, I haven’t been able to use them at all, because by the time I would get them, they would always be — as the bank calls it — compromised or hacked.”
When he questioned CIBC’s fraud department, he says, “Only once was I told that this is what they call sequencing fraud.
“It seems somehow the hacking team or the hackers have been able to get a hold of banking ‘enigma’ code so they’re able to generate the exact same sequence of the card that I would be receiving in the mail.”
CIBC confirms his was a rare case of sequencing fraud.
The association says it does not have specific figures on sequencing fraud, but does track overall credit card fraud. Its most recent numbers show that in 2013, sequencing fraud scammers made $465,135,009 worth of charges against Canadian credit cards, a number that continues to climb.
Urs Hengartner, a security expert and professor of computer science at the University of Waterloo, explains that the CIBC Aeroplan Infinite Visa uses the same numbers at the beginning of every card.
These initial eight numbers act as a bank identifier, as on most Canadian credit cards, and since the first eight numbers will always be the same, fraudsters need only guess the last eight numbers.
He says this leaves a certain number of possible combinations for the remaining numbers, which the scammers, with a computer, have figured out. Even with 10 million possible combinations, he says, “Anything is possible … the space is very large but it’s not overly large. So yes, you can figure out somebody’s number.
“But you also need additional information to be useful — you need the PIN, you need the address, you need the three digits on the back of the card.”
Brian Krebs, a cybercrime specialist, says the three-digit security code is no longer an effective barrier because these fraudsters have the technology to figure out the three-digit code on the back of the cards.
CIBC says it’s changing the way it operates.